[Dshield] Malicious probes, or YAWM*?

John Sage jsage at finchhaven.com
Sun Jan 19 16:14:08 GMT 2003


*Yet Another Window$ Misconfiguration

Saw this; seems odd, or perhaps I just haven't noticed before: TCP:445
and TCP:80 with an http OPTIONS request.

He was quite persistent; 127 packets to 445, 15 to 80.

===============================================================================

Snort processed 142 packets.
Breakdown by protocol:                Action Stats:

    TCP: 142        (100.000%)        ALERTS: 0         
    UDP: 0          (0.000%)          LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================


[toot at sparky /tmp]# host 12.47.108.129
129.108.47.12.in-addr.arpa. domain name pointer ky108-129.netburner.net.


input: snort-0118 at 1654.log
filter: ip and ( src host 12.47.108.129 )
#
T 2003/01/18 22:27:52.268196 12.47.108.129:2095 -> 12.82.128.209:445 [S]
#
T 2003/01/18 22:27:52.758243 12.47.108.129:2095 -> 12.82.128.209:445 [A]
#
T 2003/01/18 22:27:52.798366 12.47.108.129:2095 -> 12.82.128.209:445 [AF]
#
T 2003/01/18 22:27:53.068228 12.47.108.129:2105 -> 12.82.128.209:445 [S]
#
T 2003/01/18 22:27:53.248323 12.47.108.129:2095 -> 12.82.128.209:445 [A]
#
T 2003/01/18 22:27:53.548304 12.47.108.129:2105 -> 12.82.128.209:445 [A]
#
T 2003/01/18 22:27:53.628294 12.47.108.129:2105 -> 12.82.128.209:445 [AP]
  00 00 00 85 ff 53 4d 42    72 00 00 00 00 18 53 c8    .....SMBr.....S.
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 ff fe    ................
  00 00 00 00 00 62 00 02    50 43 20 4e 45 54 57 4f    .....b..PC NETWO
  52 4b 20 50 52 4f 47 52    41 4d 20 31 2e 30 00 02    RK PROGRAM 1.0..
  4c 41 4e 4d 41 4e 31 2e    30 00 02 57 69 6e 64 6f    LANMAN1.0..Windo
  77 73 20 66 6f 72 20 57    6f 72 6b 67 72 6f 75 70    ws for Workgroup
  73 20 33 2e 31 61 00 02    4c 4d 31 2e 32 58 30 30    s 3.1a..LM1.2X00
  32 00 02 4c 41 4e 4d 41    4e 32 2e 31 00 02 4e 54    2..LANMAN2.1..NT
  20 4c 4d 20 30 2e 31 32    00                          LM 0.12.       
#
T 2003/01/18 22:27:54.038328 12.47.108.129:2105 -> 12.82.128.209:445 [AF]
#
T 2003/01/18 22:28:00.589000 12.47.108.129:2154 -> 12.82.128.209:80 [S]
#
T 2003/01/18 22:28:01.029044 12.47.108.129:2154 -> 12.82.128.209:80 [A]
#
T 2003/01/18 22:28:01.109091 12.47.108.129:2154 -> 12.82.128.209:80 [AP]
  4f 50 54 49 4f 4e 53 20    2f 20 48 54 54 50 2f 31    OPTIONS / HTTP/1
  2e 31 0d 0a 74 72 61 6e    73 6c 61 74 65 3a 20 66    .1..translate: f
  0d 0a 55 73 65 72 2d 41    67 65 6e 74 3a 20 4d 69    ..User-Agent: Mi
  63 72 6f 73 6f 66 74 2d    57 65 62 44 41 56 2d 4d    crosoft-WebDAV-M
  69 6e 69 52 65 64 69 72    2f 35 2e 31 2e 32 36 30    iniRedir/5.1.260
  30 0d 0a 48 6f 73 74 3a    20 31 32 2e 38 32 2e 31    0..Host: 12.82.1
  32 38 2e 32 30 39 0d 0a    43 6f 6e 74 65 6e 74 2d    28.209..Content-
  4c 65 6e 67 74 68 3a 20    30 0d 0a 43 6f 6e 6e 65    Length: 0..Conne
  63 74 69 6f 6e 3a 20 4b    65 65 70 2d 41 6c 69 76    ction: Keep-Aliv
  65 0d 0a 0d 0a                                        e....           
#
T 2003/01/18 22:28:01.599127 12.47.108.129:2154 -> 12.82.128.209:80 [A]
#
T 2003/01/18 22:28:01.619182 12.47.108.129:2154 -> 12.82.128.209:80 [AF]
#
T 2003/01/18 22:28:01.629143 12.47.108.129:2159 -> 12.82.128.209:445 [S]
#
T 2003/01/18 22:28:02.289221 12.47.108.129:2159 -> 12.82.128.209:445 [A]
#
T 2003/01/18 22:28:02.339248 12.47.108.129:2159 -> 12.82.128.209:445 [AP]
  00 00 00 85 ff 53 4d 42    72 00 00 00 00 18 53 c8    .....SMBr.....S.
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 ff fe    ................
  00 00 00 00 00 62 00 02    50 43 20 4e 45 54 57 4f    .....b..PC NETWO
  52 4b 20 50 52 4f 47 52    41 4d 20 31 2e 30 00 02    RK PROGRAM 1.0..
  4c 41 4e 4d 41 4e 31 2e    30 00 02 57 69 6e 64 6f    LANMAN1.0..Windo
  77 73 20 66 6f 72 20 57    6f 72 6b 67 72 6f 75 70    ws for Workgroup
  73 20 33 2e 31 61 00 02    4c 4d 31 2e 32 58 30 30    s 3.1a..LM1.2X00
  32 00 02 4c 41 4e 4d 41    4e 32 2e 31 00 02 4e 54    2..LANMAN2.1..NT
  20 4c 4d 20 30 2e 31 32    00                          LM 0.12.       
#
T 2003/01/18 22:28:02.879240 12.47.108.129:2159 -> 12.82.128.209:445 [AF]
#
:
<snip-a-lot>
:
T 2003/01/18 22:30:03.951536 12.47.108.129:3242 -> 12.82.128.209:445 [S]
#
T 2003/01/18 22:30:04.551664 12.47.108.129:3242 -> 12.82.128.209:445 [A]
#
T 2003/01/18 22:30:05.661757 12.47.108.129:3242 -> 12.82.128.209:445 [AP]
  00 00 00 85 ff 53 4d 42    72 00 00 00 00 18 53 c8    .....SMBr.....S.
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 ff fe    ................
  00 00 00 00 00 62 00 02    50 43 20 4e 45 54 57 4f    .....b..PC NETWO
  52 4b 20 50 52 4f 47 52    41 4d 20 31 2e 30 00 02    RK PROGRAM 1.0..
  4c 41 4e 4d 41 4e 31 2e    30 00 02 57 69 6e 64 6f    LANMAN1.0..Windo
  77 73 20 66 6f 72 20 57    6f 72 6b 67 72 6f 75 70    ws for Workgroup
  73 20 33 2e 31 61 00 02    4c 4d 31 2e 32 58 30 30    s 3.1a..LM1.2X00
  32 00 02 4c 41 4e 4d 41    4e 32 2e 31 00 02 4e 54    2..LANMAN2.1..NT
  20 4c 4d 20 30 2e 31 32    00                          LM 0.12.       
#
T 2003/01/18 22:30:06.181842 12.47.108.129:3242 -> 12.82.128.209:445 [AF]
#
T 2003/01/18 22:30:10.032182 12.47.108.129:3246 -> 12.82.128.209:80 [S]
#
T 2003/01/18 22:30:10.522301 12.47.108.129:3246 -> 12.82.128.209:80 [A]
#
T 2003/01/18 22:30:10.622279 12.47.108.129:3246 -> 12.82.128.209:80 [AP]
  4f 50 54 49 4f 4e 53 20    2f 20 48 54 54 50 2f 31    OPTIONS / HTTP/1
  2e 31 0d 0a 74 72 61 6e    73 6c 61 74 65 3a 20 66    .1..translate: f
  0d 0a 55 73 65 72 2d 41    67 65 6e 74 3a 20 4d 69    ..User-Agent: Mi
  63 72 6f 73 6f 66 74 2d    57 65 62 44 41 56 2d 4d    crosoft-WebDAV-M
  69 6e 69 52 65 64 69 72    2f 35 2e 31 2e 32 36 30    iniRedir/5.1.260
  30 0d 0a 48 6f 73 74 3a    20 31 32 2e 38 32 2e 31    0..Host: 12.82.1
  32 38 2e 32 30 39 0d 0a    43 6f 6e 74 65 6e 74 2d    28.209..Content-
  4c 65 6e 67 74 68 3a 20    30 0d 0a 43 6f 6e 6e 65    Length: 0..Conne
  63 74 69 6f 6e 3a 20 4b    65 65 70 2d 41 6c 69 76    ction: Keep-Aliv
  65 0d 0a 0d 0a                                        e....           
#
T 2003/01/18 22:30:11.192367 12.47.108.129:3246 -> 12.82.128.209:80 [A]
#
T 2003/01/18 22:30:11.222455 12.47.108.129:3246 -> 12.82.128.209:80 [AF]
#
<snip more...>



- John
-- 
Has the preparation
of your heart been ready?
Almost, calm down.

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
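Added example, not part of John's post: a small Python decoder for the two payloads he captured, so a reader can check what the hex actually says. The SMB bytes and the OPTIONS request are copied from the first tcp/445 and first tcp/80 payloads in his dump, as are the two timestamps; the function names, the 30-second pairing window, and the label "windows-webclient-fallback" are my own. The pairing heuristic encodes the reading his subject line hints at: a Windows XP WebClient (the WebDAV Mini-Redirector, User-Agent `Microsoft-WebDAV-MiniRedir/5.1.2600`) resolving a UNC path tries SMB on 445 first and, when that fails, falls back to an HTTP OPTIONS with a `translate: f` header, which is exactly the 445-then-80 sequence in the log.

```python
# Decode the SMB_COM_NEGOTIATE and WebDAV OPTIONS payloads from the dump above.
from datetime import datetime

# Hex copied from the post's ngrep-style dump (first 445 payload, first 80 payload).
SMB_HEX = """
00 00 00 85 ff 53 4d 42 72 00 00 00 00 18 53 c8
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe
00 00 00 00 00 62 00 02 50 43 20 4e 45 54 57 4f
52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02
4c 41 4e 4d 41 4e 31 2e 30 00 02 57 69 6e 64 6f
77 73 20 66 6f 72 20 57 6f 72 6b 67 72 6f 75 70
73 20 33 2e 31 61 00 02 4c 4d 31 2e 32 58 30 30
32 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 02 4e 54
20 4c 4d 20 30 2e 31 32 00
"""
HTTP_HEX = """
4f 50 54 49 4f 4e 53 20 2f 20 48 54 54 50 2f 31
2e 31 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66
0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69
63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d
69 6e 69 52 65 64 69 72 2f 35 2e 31 2e 32 36 30
30 0d 0a 48 6f 73 74 3a 20 31 32 2e 38 32 2e 31
32 38 2e 32 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d
4c 65 6e 67 74 68 3a 20 30 0d 0a 43 6f 6e 6e 65
63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76
65 0d 0a 0d 0a
"""
# Timestamps of those two payloads, copied from the same dump.
SMB_TS, HTTP_TS = "2003/01/18 22:27:53.628294", "2003/01/18 22:28:01.109091"

SMB_COM_NEGOTIATE = 0x72


def unhex(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def parse_smb_negotiate(data: bytes) -> dict:
    """NetBIOS session header (4 bytes) + 32-byte SMB1 header + NEGOTIATE dialect list."""
    if len(data) < 36:
        raise ValueError("too short for NetBIOS + SMB header")
    nb_type, nb_len = data[0], int.from_bytes(data[1:4], "big")
    if nb_type != 0x00 or nb_len != len(data) - 4:
        raise ValueError("NetBIOS session header does not match captured length")
    smb = data[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    command = smb[4]                                   # 0x72 = SMB_COM_NEGOTIATE
    flags, flags2 = smb[9], int.from_bytes(smb[10:12], "little")
    pid_low = int.from_bytes(smb[26:28], "little")     # 0xfeff in the dump
    word_count = smb[32]
    bc_off = 33 + 2 * word_count
    byte_count = int.from_bytes(smb[bc_off:bc_off + 2], "little")
    payload = smb[bc_off + 2:bc_off + 2 + byte_count]
    if len(payload) != byte_count:
        raise ValueError("ByteCount exceeds captured data")
    dialects = []
    if command == SMB_COM_NEGOTIATE:
        # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string.
        for chunk in payload.split(b"\x00"):
            if chunk.startswith(b"\x02"):
                dialects.append(chunk[1:].decode("ascii"))
    return {"command": command, "flags": flags, "flags2": flags2, "pid": pid_low,
            "word_count": word_count, "byte_count": byte_count, "dialects": dialects}


def parse_http_request(data: bytes) -> dict:
    """Request line plus headers; header names are lower-cased for lookup."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def gap_seconds(first: str = SMB_TS, second: str = HTTP_TS) -> float:
    fmt = "%Y/%m/%d %H:%M:%S.%f"
    return (datetime.strptime(second, fmt) - datetime.strptime(first, fmt)).total_seconds()


def classify_pair(smb: dict, http: dict, gap: float, window: float = 30.0) -> str:
    """Heuristic (my assumption, not from the post): SMB negotiate to 445 followed
    within `window` seconds by an OPTIONS from the Mini-Redirector with a
    translate: header is the Windows WebClient SMB-to-WebDAV fallback."""
    ua = http["headers"].get("user-agent", "")
    if (smb["command"] == SMB_COM_NEGOTIATE and http["method"] == "OPTIONS"
            and ua.startswith("Microsoft-WebDAV-MiniRedir")
            and "translate" in http["headers"] and 0 <= gap <= window):
        return "windows-webclient-fallback"
    return "unclassified"


if __name__ == "__main__":
    neg = parse_smb_negotiate(unhex(SMB_HEX))
    req = parse_http_request(unhex(HTTP_HEX))
    print("dialects offered:", neg["dialects"])
    print("user-agent:", req["headers"]["user-agent"], "gap: %.1fs" % gap_seconds())
    print("verdict:", classify_pair(neg, req, gap_seconds()))
```

The dialect list ("PC NETWORK PROGRAM 1.0" through "NT LM 0.12") is the stock set a Windows 2000/XP client offers, and the repeated negotiate-only connections with no session setup match a client that gets no usable answer and gives up, then retries. The verdict is a label, not proof: a deliberate scanner can send the same bytes, so the source should still be treated as a probe until the owner confirms otherwise.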

